
Tuesday, June 03, 2008

Once again my system got badly infected by something that resides in the temporary folder under the name ena1.tmp, 172KB in size; sometimes the name ena1.tmp got replaced with another name. Whatever the case, not long ago I restored my system and scanned it using the beta version of Kaspersky Antivirus 8, and the whole lot of infected files was determined to be Virus.Win32.Parite.b, which was a step ahead of its parent Virus.Win32.Parite.a. Both of these are purely parasitic viruses which modify the code of the infected file. The infected file remains partially or fully functional.

The KAV displayed the following notice every time the infected file/folder was scanned.

Detected: virus Virus.Win32.Parite.b
Status: will be deleted when the computer is restarted
Object: File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ena1.tmp//UPX

To my sadness, after the complete scan and a reboot of the system, the virus still resided in the %temp% folder. Later, delving thoroughly, I found that the virus Virus.Win32.Parite.b had replicated itself into the System Volume Information system folder of the local drive and of the pen drive as well. Surprisingly, on my JetFlash V110 pen drive there used to be no such system folder as System Volume Information. With no further lingering, I just deleted it using TuneUp Shredder; all such unwanted files were deleted successfully, and finally a decisive full system scan was done to eliminate all the infected files and the virus itself.

Parasitic viruses are grouped according to the section of the file they write their code to:

Prepending: the malicious code is written to the beginning of the file

Appending: the malicious code is written to the end of the file

Inserting: the malicious code is inserted in the middle of the file

Inserting file viruses use a variety of methods to write code to the middle of a file: they either move parts of the original file to the end or copy their own code to empty sections of the target file. These are sometimes called cavity viruses.
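As an added illustration of this taxonomy (my own example, not part of the original post or any vendor tool), the following Python script compares a known-clean copy of a file (say, from a backup) with the suspect on-disk copy and reports which of these placements the differences match. The sample bytes are constructed stand-ins, not a real binary.

```python
# Classify where a parasitic infector placed its code by comparing a known-clean
# copy of a file with the suspect copy. Categories follow the taxonomy above:
# prepending, appending, inserting (one contiguous block in the middle) and
# cavity (file size unchanged, existing empty bytes overwritten). Anything
# else is reported as "mixed".
from typing import Tuple

def _prefix_len(a: bytes, b: bytes) -> int:
    n = min(len(a), len(b))
    i = 0
    while i < n and a[i] == b[i]:
        i += 1
    return i

def _suffix_len(a: bytes, b: bytes) -> int:
    n = min(len(a), len(b))
    i = 0
    while i < n and a[-1 - i] == b[-1 - i]:
        i += 1
    return i

def classify_infection(clean: bytes, infected: bytes) -> Tuple[str, int, int]:
    """Return (kind, offset_of_first_difference, bytes_added)."""
    if clean == infected:
        return ("unmodified", -1, 0)
    added = len(infected) - len(clean)
    p = _prefix_len(clean, infected)
    s = _suffix_len(clean, infected)
    if added < 0:
        return ("truncated", p, added)      # data was lost; not a parasitic pattern
    if added == 0:
        return ("cavity", p, 0)             # same size: bytes overwritten in place
    if p == len(clean):
        return ("appending", p, added)      # clean file is an exact prefix
    if s == len(clean):
        return ("prepending", 0, added)     # clean file is an exact suffix
    if p + s >= len(clean):
        return ("inserting", p, added)      # one contiguous block at offset p
    # Several regions differ, e.g. an appended body plus a patched PE header
    # (entry point redirected), which is how a real appending infector looks.
    return ("mixed", p, added)

# Constructed sample input: a stand-in "program" with a zero-filled tail
# (the kind of empty space a cavity virus uses) and a stand-in virus body.
CLEAN = b"MZ" + b"\x00" * 62 + b"PROGRAM BODY" + b"\x00" * 16
VIRUS = b"VIRUS CODE"

if __name__ == "__main__":
    for label, sample in [("appended", CLEAN + VIRUS), ("prepended", VIRUS + CLEAN),
                          ("inserted", CLEAN[:40] + VIRUS + CLEAN[40:]),
                          ("cavity", CLEAN[:-16] + VIRUS + b"\x00" * 6)]:
        print(label, classify_infection(CLEAN, sample))
```

A real appending infector also patches the PE header so that the entry point jumps to its code, so expect "mixed" with a small first-difference offset rather than a pure "appending" result on real samples.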

Under File and Boot Viruses, here is very useful information on the aliases and coding of the virus we are dealing with:

The virus consists of a dropper, which is written in assembler, and the virus body itself, written in Borland C++. When an infected file is launched, control flow is passed to the virus dropper, which writes the virus to a temporary file and executes its infection procedure. The virus searches for Win32 EXE PE files with .scr and .exe extensions on all logical drives of the computer, and also in shared resources of the local network, and infects them.

The virus doesn't manifest its presence in any way. The structure of an infected file looks like this: